Coordinated Disclosure Timeline
- 2024-10-10: Reported through GitHub’s Private Vulnerability Reporting (PVR).
- 2024-10-14: Fixed in e0fb8f9
Summary
Appsmith is vulnerable to GitHub Actions expression injection in one of its reusable workflows. A crafted commit message is interpolated into a bash script, which allows an attacker to run arbitrary commands on the runner, steal repository secrets and alter the repository.
Project
Appsmith
Tested Version
Latest changeset at the time of reporting.
Details
Code injection in ci-test-limited.yml (GHSL-2024-277)
The ci-test-limited.yml workflow is a reusable workflow, i.e. it can be triggered from other workflows via workflow_call. In its Set Commit Message step, a potentially untrusted commit message, if defined, is used in a bash script in an unsafe manner through ${{ env.... }} interpolation:
    - name: Set Commit Message
      env:
        EVENT_COMMITS: ${{ toJson(github.event.commits[0].message) }}
      run: |
        if [[ ${{ inputs.pr }} -ne 0 && ${{github.event_name}} == 'repository_dispatch' ]]; then
          echo "COMMIT_INFO_MESSAGE=${{ env.COMMIT_INFO_MESSAGE }}" >> $GITHUB_ENV
        elif [[ ${{ inputs.pr }} -ne 0 && ${{github.event_name}} == 'workflow_dispatch' ]]; then
          echo "COMMIT_INFO_MESSAGE=Workflow run on PR# ${{ inputs.pr }}" >> $GITHUB_ENV
        else
          if [[ '${{env.EVENT_COMMITS}}' == 'null' ]]; then
            echo "COMMIT_INFO_MESSAGE=${{ github.event_name }} by ${{ env.COMMIT_INFO_AUTHOR }}" >> $GITHUB_ENV
          else
            echo "COMMIT_INFO_MESSAGE=$(echo \"${{ env.EVENT_COMMITS }}\" | awk -F '\\\\n' '{print $1}' | sed 's/^\"//')" >> $GITHUB_ENV
          fi
        fi
The first unsafe usage is the line if [[ '${{env.EVENT_COMMITS}}' == 'null' ]]; then and the second one is echo "COMMIT_INFO_MESSAGE=$(echo \"${{ env.EVENT_COMMITS }}\" ... . The ${{ ... }} expression is expanded by the Actions runner before bash ever parses the script, so the single quotes around it provide no protection: whatever the commit message contains becomes part of the script text.
A malicious commit message would therefore be able to inject a bash command into the script. For example, ' == '' || 1 ]]; then id # closes the test expression, forces it to evaluate true, and comments out the rest of the line, so the id command is executed.
Note that the env: mapping already exposes the value to the script as the shell variable $EVENT_COMMITS; referencing it that way, as a quoted shell variable instead of through ${{ env.EVENT_COMMITS }} interpolation, keeps bash from ever treating attacker-controlled text as code.
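To make the mechanism concrete, the following bash script is an added example; it is not Appsmith's workflow and not part of the GHSL report. render_vulnerable reproduces what the Actions runner does with ${{ env.EVENT_COMMITS }}: the expression is replaced by its raw value in the script text before bash parses it. run_hardened passes the same value through a real environment variable and references it as a quoted shell variable, reimplementing the first-line extraction of the original awk/sed pipeline in plain bash. The commit messages are constructed inputs shaped the way toJson() renders a string (double-quoted, newlines escaped as a literal \n); the advisory's payload runs id, which is swapped here for a marker echo INJECTED so the outcome is easy to see.

```shell
#!/usr/bin/env bash
# Added example (not Appsmith's code): contrasts expression interpolation with
# passing the same untrusted value through an environment variable.
set -u

# Constructed sample inputs, shaped as toJson(commit message) would render them.
BENIGN_MESSAGE='"fix: tidy up logging\nSecond line"'
# The advisory's payload is: ' == '' || 1 ]]; then id #
# A marker echo stands in for `id` so the result is easy to check.
PAYLOAD="\"' == '' || 1 ]]; then echo INJECTED #\""

# Mimic the runner: emit the script text bash receives after ${{ env.EVENT_COMMITS }}
# has been textually replaced by its value. This is the first sink of the original
# step; the surrounding single quotes are part of the template, not a safeguard.
render_vulnerable() {
  local event_commits="$1"
  printf '%s\n' \
    "if [[ '${event_commits}' == 'null' ]]; then" \
    "  echo null-branch" \
    "else" \
    "  echo message-branch" \
    "fi"
}

# Execute the rendered text exactly as the runner would.
run_vulnerable() {
  bash -c "$(render_vulnerable "$1")" 2>/dev/null
}

# Hardened form: the script text is a fixed literal; the value reaches it only as
# the environment variable EVENT_COMMITS, so it can never alter the parse.
# The first-line extraction mirrors the original awk/sed pipeline: keep the text
# before the first literal \n that toJson emits, then drop the JSON opening quote.
run_hardened() {
  EVENT_COMMITS="$1" bash -c '
    if [[ "$EVENT_COMMITS" == "null" ]]; then
      echo null-branch
    else
      first="${EVENT_COMMITS%%\\n*}"
      first="${first#\"}"
      echo "message-branch: ${first}"
    fi'
}

echo "--- vulnerable step, benign commit message ---"
run_vulnerable "$BENIGN_MESSAGE"
echo "--- vulnerable step, malicious commit message ---"
run_vulnerable "$PAYLOAD"
echo "--- hardened step, malicious commit message ---"
run_hardened "$PAYLOAD"
```

With the benign message the vulnerable step prints message-branch as intended; with the payload it prints INJECTED first, because the rendered test has become [[ '"' == '' || 1 ]] followed by the injected command and a comment. The hardened step prints the payload back as plain data on a single message-branch line, which is the behaviour a commit message should have regardless of its content.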
Impact
An attacker able to inject commands into this step would be able to steal the DOCKER_HUB_USERNAME, DOCKER_HUB_ACCESS_TOKEN and multiple CYPRESS_* secrets, and would obtain full write permissions to the repository through the workflow's GITHUB_TOKEN:
GITHUB_TOKEN Permissions
Actions: write
Attestations: write
Checks: write
Contents: write
Deployments: write
Discussions: write
Issues: write
Metadata: read
Packages: write
Pages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write
Resources
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Leaking Secrets From GitHub Actions: Reading Files And Environment Variables, Intercepting Network/Process Communication, Dumping Memory
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-277 in any communication regarding this issue.